Documentation Home
MySQL Enterprise Monitor 3.0 Manual
Related Documentation Download this Manual
PDF (US Ltr) - 5.2Mb
PDF (A4) - 5.2Mb
EPUB - 3.7Mb
HTML Download (TGZ) - 3.6Mb
HTML Download (Zip) - 3.6Mb


MySQL Enterprise Monitor 3.0 Manual  /  ...  /  Creating MySQL User Accounts for the Monitor Agent

5.2 Creating MySQL User Accounts for the Monitor Agent

The MySQL Enterprise Monitor Agent requires a user configured within each MySQL instance that is being monitored with suitable privileges to collect information about the server, including variable names, replication, and storage engine status information.

The Agent requires the Admin user, and can optionally use General or Limited users, or both, depending on the system's security requirements. During the installation process, you are prompted to create General and Limited users. You can allow the agent to connect to the database using the Admin user for all tasks but it is recommended to create the General or Limited users for tasks which do not require root access to the database. It is not necessary to create both users. It is possible to create one or the other. The Agent uses the user with the lowest, required privileges for the query and changes to a user with higher privileges only if the query requires it.

Important

All configured users are checked to ensure they have the correct privileges. If they do not have the required privileges, the connection is regarded as a bad connection and added to the Bad Connections list on the MySQL Instances dashboard.

  • Admin: Typically this is the 'root' user, otherwise it a user that has the SUPER privilege, and has CREATE and INSERT privileges on the schema the inventory table will be created on (the inventory table stores unique identifiers for the MySQL instance, and is created in the mysql schema by default). The SUPER privilege is required to temporarily switch off replication when creating and populating the inventory table, as well as running certain statements such as SHOW MASTER LOGS or SHOW ENGINE INNODB STATUS, depending on the version that is being monitored.

    If you choose to Auto-Create Less Privileged Users, this Administrative user also creates those with the required privileges to monitor this instance. In this case, this user should also have the CREATE USER, PROCESS, REPLICATION CLIENT, SELECT, SHOW DATABASES privileges globally WITH GRANT OPTION, and UPDATE on the performance_schema.threads table.

  • General: This optional user handles general monitoring tasks that do not require SUPER level privileges. Lower privileged users are used until higher privileges are required. In which case, MEM temporarily logs in as the SUPER privileged user, and then falls back to the general user.

    If you are manually managing this user, it should have at least the PROCESS, REPLICATION CLIENT, SELECT, and SHOW DATABASES privileges globally, and UPDATE on the performance_schema.threads table. If you intend to use EXPLAIN on views, you must also grant SHOW VIEWS.

    Important

    You must grant the SUPER privilege to the General user. The agent requires this privilege to use the SHOW BINARY LOGS statement on the monitored instance.

  • Limited: This optional user is used for statements that should be limited to a single connection.

    Examples of these types of statements include getting database metadata from INFORMATION_SCHEMA tables (which with large numbers of databases and tables can become costly), or any custom SQL that is used to monitor application specific statistics.

    If you are manually managing this user, it should have at least the SELECT and SHOW DATABASES privileges globally, and UPDATE on the performance_schema.threads table. If you intend to use EXPLAIN on views, you must also grant SHOW VIEWS.

Creating the Admin User

If you do not want to supply the root user information to the installer, create a user manually within your MySQL server and provide these credentials as the agent user/password combination during installation. The privileges required for this user account vary depending on the information you gather using the MySQL Enterprise Monitor Agent. The following privileges allow the Monitor Agent to perform its assigned duties without limitation:

  • SHOW DATABASES: The MySQL Enterprise Monitor Agent can gather inventory about the monitored MySQL server.

  • REPLICATION CLIENT: The MySQL Enterprise Monitor Agent can gather Replication master/slave status data. This privilege is only needed if you use the MySQL Replication Advisor Rules.

  • SELECT: The MySQL Enterprise Monitor Agent can collect statistics for table objects.

  • SUPER: The MySQL Enterprise Monitor Agent can execute SHOW ENGINE INNODB STATUS to collect data about InnoDB tables. This privilege is also required to obtain replication information using SHOW MASTER STATUS, and to temporarily switch off replication when populating the mysql.inventory table used to identify the MySQL instance.

  • PROCESS: When monitoring a MySQL server running MySQL 5.1.24 or above with InnoDB, the PROCESS privilege is required to execute SHOW ENGINE INNODB STATUS.

  • INSERT: Required to create the UUID required by the agent.

  • CREATE: The MySQL Enterprise Monitor Agent can create tables. During discovery, the agent creates the table inventory within the mysql database that stores the UUID for the server. Without this table, the agent cannot determine the UUID of the server, which it sends along with other information to MySQL Enterprise Service Manager.

  • UPDATE on the performance_schema.threads table. This is done to prevent SQL Statement Generates Warnings or Errors events which can be triggered by EXPLAIN plans run by the Query Analyzer. These warnings are generated because the Performance_Schema captures only 1024 characters of each query. Granting this privilege enables the connection to Performance_Schema to be dropped before the EXPLAIN and reconnected after the EXPLAIN finishes.

    Note

    If you manage your General and Limited users manually, you must also grant this privilege to those users.

For example, the following GRANT statement gives the agent the required SELECT, REPLICATION CLIENT, SHOW DATABASES and SUPER rights:

GRANT SELECT, CREATE USER, REPLICATION CLIENT, SHOW DATABASES, SUPER, PROCESS
  ON *.*
  TO  'mysqluser'@'localhost'
  IDENTIFIED BY 'agent_password';
Note

When using Auto-Create Less Privileged Users, also add WITH GRANT OPTION to the above query.

For security reasons, you might limit the CREATE and INSERT privileges to the agent so that it can only create tables within the mysql database:

GRANT CREATE, INSERT
  ON mysql.*
  TO  'mysqluser'@'localhost'
  IDENTIFIED BY 'agent_password';

To let replication discovery work, grant the SELECT privilege on the mysql.inventory table for each user with replication privileges on the corresponding replication master. This is required to let the MySQL Enterprise Monitor Agent read the replication master UUID. For example:

GRANT SELECT
  ON mysql.inventory
  TO  'replicationuser'@'%'
  IDENTIFIED BY 'replication_password';
Note

Perform this step after after running the agent on the corresponding MySQL server to ensure that the mysql.inventory table is created correctly. Run the agent, shut the agent down, run the above GRANT statement, and then restart the agent.

If the agent cannot access the information from the table, a warning containing this information is written to the agent log.

Note

You might disable logging for the grant statement to prevent the grant information being replicated to the slaves. In this case, execute the statement SET SQL_LOG_BIN=0 before executing the above GRANT statement.

Creating the Limited and General Users

If the Admin user has the necessary privileges to create other users, you can check the Auto-Create Less Privileged Users checkbox, enter credentials for those users, and they are created for you.

If the Auto-Create Less Privileged Users box is unchecked and the credentials for the General and Limited users blank, the Agent only uses the Admin user for monitoring.

If the Auto-Create Less Privileged Users box is unchecked, you can enter credentials for the General and Limited users. If you define these users. you must create them on the monitored assets manually. The installer attempts to validate these users and displays a warning message if they are invalid. The installation process continues, and the Agent works properly, but you must create those users later.

In a typical configuration, the Agent runs on the same host as the MySQL server it is monitoring, so the host name is often localhost. If the Agent is running on a machine other than the monitored MySQL server(s), then change localhost to the appropriate value. For more information about remote monitoring, see Section 5.9, “Configuring an Agent to Monitor a Remote MySQL Server”.


User Comments
Sign Up Login You must be logged in to post a comment.